Risk assessments for GDPR compliance

When I was studying for the CISA and CISM certifications, I read a lot about Business Impact Analysis and the Risk Management Process. That was cool because Ariadnex was ISO 27001 compliant and I had to help them become compliant with this kind of process. Today, we also have to be GDPR compliant, since under the new GDPR all EU citizens have cyber rights. This is a good opportunity to reinforce my knowledge about risk assessments because they are essential for the new regulation.

All businesses have to comply with GDPR because most of them process personal data of their employees for salaries, benefits and social security. Most of them also have a recruitment process or evaluate their employees. There are also companies which store and process lots of personal data for advertising campaigns, or which process sensitive data as the health sector does. Therefore, personal data processing happens everywhere and these businesses have to comply with the new regulation.

The first step for compliance is to know what personal data the company is processing, because we’ll have to define and design the personal data processing operations as well as the processing purpose. Once this is done, we can use tools such as Facilita which tell us what we have to do with the personal data processing. If we don’t have much personal data and the risk level is low, maybe we only have to do some paperwork and buy some tech stuff.

Workflow for GDPR compliance
However, if we have a lot of personal data or sensitive data, we should evaluate the proposal to identify potential effects on individuals’ privacy and personal data. Therefore, we have to know whether a basic risk assessment is enough for the company or whether a Data Protection Impact Assessment (DPIA) will be necessary, which is an exhaustive process tied to privacy by design, where projects are designed with data protection in mind from the beginning.

If the company doesn’t have high-risk personal data processing, we’ll have to do a basic risk assessment. This risk assessment will have to take into account the loss of integrity, availability and confidentiality of personal data, and it will also have to take into account the rights and freedoms of individuals. However, this risk assessment shouldn’t be an exhaustive one but an essential one, where only critical risks are considered, such as unauthorized access, unintentional loss or lack of procedures.

Finally, if the company has high-risk personal data processing, we’ll have to do an exhaustive risk assessment through the DPIA process, where we evaluate the impact and the probability of occurrence of each threat to know the level of risk of each personal data processing activity. I know, it is demanding work, but mandatory for GDPR compliance.
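To make the two paths above concrete, here is a small risk-register helper written as an added example for this post; it is not code from the post or from any GDPR tool such as Facilita. It assumes a 1-5 scale for impact and likelihood, risk level = impact x likelihood with thresholds of 15 ("high") and 8 ("medium"), and a simplified trigger rule in which special-category data or large-scale processing sends an activity down the DPIA path while everything else gets the basic assessment. The activity names, flags and scores are constructed sample values. The basic assessment is also checked against the three critical risks named above (unauthorized access, unintentional loss, lack of procedures), so a register that forgets one of them is flagged.

```python
"""Illustrative GDPR risk-assessment helper (added example, not from the post).

Assumptions (not stated on the page): impact and likelihood on a 1-5 scale,
risk score = impact * likelihood, "high" >= 15, "medium" >= 8, otherwise "low".
The DPIA trigger (special-category data or large-scale processing) is a
simplified reading of the high-risk criteria, not a legal test.
"""
from dataclasses import dataclass, field

# Critical risks the post says a basic assessment must at least cover.
BASIC_THREATS = ("unauthorized access", "unintentional loss", "lack of procedures")
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    sensitive: bool      # special-category data such as health records
    large_scale: bool    # many data subjects affected
    # threat -> (impact, likelihood); constructed sample values in the register below
    threats: dict = field(default_factory=dict)


def risk_level(impact: int, likelihood: int):
    """Map an impact/likelihood pair to (score, level) using the assumed thresholds."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be on a 1-5 scale")
    score = impact * likelihood
    if score >= 15:
        return score, "high"
    if score >= 8:
        return score, "medium"
    return score, "low"


def needs_dpia(activity: ProcessingActivity) -> bool:
    """Assumed trigger: sensitive or large-scale processing -> exhaustive DPIA."""
    return activity.sensitive or activity.large_scale


def assess(activity: ProcessingActivity) -> dict:
    """Decide the assessment path and score each registered threat."""
    path = "DPIA" if needs_dpia(activity) else "basic risk assessment"
    # Even the essential (basic) assessment must not skip the critical risks.
    missing = [t for t in BASIC_THREATS if t not in activity.threats]
    risks = {}
    overall = "low"
    for threat, (impact, likelihood) in activity.threats.items():
        score, level = risk_level(impact, likelihood)
        risks[threat] = {"score": score, "level": level}
        if LEVEL_ORDER[level] > LEVEL_ORDER[overall]:
            overall = level
    return {
        "activity": activity.name,
        "path": path,
        "overall_level": overall,
        "missing_critical_threats": missing,
        "risks": risks,
    }


# Constructed sample register: one ordinary HR activity, one health-sector one.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="payroll",
        purpose="salaries, benefits and social security",
        sensitive=False,
        large_scale=False,
        threats={"unauthorized access": (4, 2), "unintentional loss": (3, 2)},
    ),
    ProcessingActivity(
        name="patient records",
        purpose="medical treatment",
        sensitive=True,
        large_scale=True,
        threats={
            "unauthorized access": (5, 3),
            "unintentional loss": (4, 2),
            "lack of procedures": (3, 3),
        },
    ),
]


def assess_register(register=SAMPLE_REGISTER):
    return [assess(a) for a in register]


if __name__ == "__main__":
    for result in assess_register():
        print(result)
```

Running the block prints one result per activity: the payroll activity stays on the basic path but is flagged for the missing "lack of procedures" risk, while the patient-records activity goes to a DPIA with an overall "high" level driven by unauthorized access.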

Regards my friends, and remember to protect your data!!